Abstract — We consider the problem of automatic generation of control strategies for robotic vehicles given a set of high-level mission specifications, such as "Vehicle x must eventually visit a target region and then return to a base," "Regions A and B must be periodically surveyed," or "None of the vehicles can enter an unsafe region." We focus on instances when all of the given specifications cannot be satisfied simultaneously due to their incompatibility and/or environmental constraints. We aim to find the least-violating control strategy while considering different priorities of satisfying different parts of the mission. Formally, we consider the missions given in the form of linear temporal logic formulas, each of which is assigned a reward that is earned when the formula is satisfied. Leveraging ideas from automata-based model checking, we propose an algorithm for finding an optimal control strategy that maximizes the sum of rewards earned if this control strategy is applied. We demonstrate the proposed algorithm on an illustrative case study.

I. Introduction 

Control strategy synthesis for robotic systems with high-level, complex, formally-specified goals has recently gained considerable attention in the robotics literature. A diverse set of techniques, including sampling and cell decomposition of the environment based on triangulations and rectangular partitions, have been used to obtain discrete models of robotic systems; and a variety of temporal logics, including the Computation Time Logic (CTL) [20], Linear Temporal Logic (LTL) [4], [18], [19], [23], [24], and $\mu$-calculus [15], [16], have been successfully utilized to express complex missions that arise in robotics applications. All these references focus on the control synthesis problem: find a control strategy that satisfies the given specification, if one exists; and report failure otherwise.

The usual execution of many robotic systems, however, involves cases when the mission specification cannot be satisfied as a whole. Yet, in most such examples, it is desirable to synthesize a control strategy that fulfills the most important rules, although by (temporarily) violating some of the less important ones. Consider, for example, an autonomous car navigating in urban traffic. The car must reach its final destination while abiding by the rules of the road, in particular, staying in the right lane and avoiding collision with obstacles. However, for this robot (and a human driver), it is more important not to collide with any other car or pedestrian than to stay in its own lane. In fact, the latter rule is temporarily violated, for instance, when overtaking a parked car.

Another example is from the popular literature. Isaac Asimov's "three laws of robotics" (see [1]) define how robots shall interact with humans. According to these laws, a robot may violate any order given by a human operator if another human life comes in danger. Hence, the latter rule is issued a higher priority than the former one.

Motivated by these examples, in this paper, we consider the problem of least-violating control synthesis, i.e., finding a control strategy that satisfies the most important pieces of the mission specification, even if the mission specification cannot be fulfilled as a whole. The problem can be described as follows. Consider a deterministic transition system that models the robot and its environment. The states of the transition system may encode a select set of configurations of the robot (or $n$ robots). Each state of the transition system is labeled with a set of atomic propositions. Examples of atomic propositions include "The robot is in a safe region," or "The first robot is in region A," etc. A list of mission specifications, including tasks that need to be fulfilled and rules that must be obeyed, is given in the form of linear temporal logic. Each specification in the list is assigned a priority. Roughly speaking, the least-violating synthesis problem is to find a trace over the transition system that satisfies as many high-priority tasks as possible.

Our work is related to [21], [22], where the authors study the following problem: given an LTL specification and a model of a robot that does not satisfy this specification, decide whether or not the invalidity is limited to the provided model. Related literature also includes [6], where the authors aim to pinpoint the (un)realizable fragments of the specification to reveal causes of the specification violation.

Other related work includes the recent literature that aims to construct control strategies with minimal changes in the input. On one hand, in [9], [17], the authors aim to find a specification that (i) can be satisfied by the given model, and (ii) is close to the original specification according to a suitable metric. On the other hand, in [13] the author focuses on finding the least set of constraints (in the model) whose violation results in the satisfaction of the specification, and in [3], [5] the authors aim to repair a model in the form of a transition system or a Markov chain in order to ensure the satisfaction of a given CTL or PCTL formula, respectively.

Arguably, our work in this paper is closest to the one presented in [8], where the authors consider a transition system with the variables partitioned into control inputs for the car, controllable environment variables and disturbances. The mission specifications are captured as an ordered set of LTL formulas $\Phi = (\phi_1, \dots, \phi_n)$. The goal is to find the maximal index $1 \le m \le n$ and a strategy for the robot ensuring the satisfaction of the subset of formulas $(\phi_1, \dots, \phi_m)$ regardless of the environmental disturbances.

Variants of this problem have also been addressed from the perspective of control theory. For instance, in [7], the authors consider a system modeled as a Markov decision process and a set of specifications given in the form of Büchi automata, say $\mathcal{A}_1, \dots, \mathcal{A}_n$, each of which is assigned a reward, say $rew_1, \dots, rew_n$. They aim to find a strategy maximizing the total reward gained for the specifications weighted by the respective probabilities with which they are satisfied. The solution builds on translating the problem into a linear programming problem. Unfortunately, the time complexity of their algorithm is exponential in the size of the automata.

In contrast, our approach takes as input a deterministic transition system and a set of LTL formulas $\phi_1, \dots, \phi_n$ with rewards $rew_1, \dots, rew_n$, and we aim to construct a strategy maximizing the total reward gained for the specifications that are satisfied. We build the solution on the automata-based approach to model checking, which allows us to avoid exponential complexity (in the size of the input automata).

The contribution of this paper can be summarized as follows. We propose an algorithm for finding a least-violating trajectory when the given specification cannot be satisfied as a whole. As opposed to a "brute-force solution" enumerating all the possible subsets of specifications and attempting to find a strategy for each subset, we build our solution on a single control strategy synthesis procedure, thus substantially reducing the overall computational cost. We demonstrate the proposed approach in an illustrative example.

The rest of the paper is organized as follows. In Section II we fix some necessary notation and preliminaries. In Section III we introduce the problem and outline our approach to its solution. The solution, its correctness and complexity are then discussed in detail in Section IV. Section V presents an illustrative case study and we conclude in Section VI.

II. Preliminaries 

Given a set $S$, let $|S|$, $2^S$, and $S^\omega$ denote the cardinality of $S$, the set of all subsets of $S$, and the set of all infinite sequences of elements of $S$, respectively. A finite and an infinite sequence of elements of $S$ is called a finite and an infinite word over $S$, respectively. Given a finite word $w$ and a finite or an infinite word $w'$ over $S$, we use $w \cdot w'$ and $w^\omega = w \cdot w \cdot w \dots$ to denote the word obtained by concatenation of $w$ and $w'$, and by infinitely many repetitions of $w$, respectively.

A. Model and Specification 

Definition 1 (Transition System) A labeled deterministic transition system is a tuple $\mathcal{T} = (S, s_{init}, \mathcal{R}, \Pi, \mathcal{L})$, where $S$ is a finite set of states; $s_{init} \in S$ is the initial state; $\mathcal{R} \subseteq S \times S$ is a deterministic transition relation; $\Pi$ is a set of atomic propositions; $\mathcal{L} : S \to 2^\Pi$ is a labeling function.



A trace of $\mathcal{T}$ is an infinite sequence of states $\tau = s_0 s_1 \dots$ such that $s_0 = s_{init}$ and $(s_i, s_{i+1}) \in \mathcal{R}$, for all $i \ge 0$. A trace $\tau = s_0 s_1 \dots$ produces a word $w(\tau) = \mathcal{L}(s_0)\mathcal{L}(s_1)\dots$

Definition 2 (Formulas of LTL) LTL formulas over the set $\Pi$ of atomic propositions are constructed inductively according to the following rules:

$$\phi ::= \top \mid \pi \mid \neg\phi \mid \phi \wedge \phi \mid \mathbf{X}\phi \mid \phi\,\mathbf{U}\,\phi$$

where $\top$ is a predicate that is always true, $\pi \in \Pi$, $\neg$ (negation) and $\wedge$ (conjunction) are standard Boolean operators and $\mathbf{X}$ (next) and $\mathbf{U}$ (until) are temporal operators.

LTL formulas are interpreted over infinite words over $2^\Pi$, such as those generated by the transition system from Def. 1. Informally speaking, the word $w = w(0)w(1)\dots$ satisfies the atomic proposition $\pi$ (denoted by $w \models \pi$) if $\pi$ is satisfied in the first position of the word $w$, i.e., if $\pi \in w(0)$. The formula $\mathbf{X}\phi$ states that $\phi$ holds in the following state. The formula $\phi_1\,\mathbf{U}\,\phi_2$ states that $\phi_2$ is true eventually, and $\phi_1$ is true at least until $\phi_2$ is true. Furthermore, we define formulas $\mathbf{F}\phi = \top\,\mathbf{U}\,\phi$ and $\mathbf{G}\phi = \neg(\mathbf{F}\neg\phi)$ that state that $\phi$ holds eventually and always, respectively. LTL formulas can express various long-term missions, including surveillance ($\mathbf{G}\mathbf{F}\phi$, always eventually visit $\phi$), global absence ($\mathbf{G}\neg\phi$, globally avoid $\phi$), reactivity ($\mathbf{G}\mathbf{F}\phi_1 \Rightarrow \mathbf{G}\mathbf{F}\phi_2$, if $\phi_1$ holds infinitely often, then so must $\phi_2$), among many others.

The language of all words that satisfy an LTL formula $\phi$ is denoted by $L(\phi)$. With a slight abuse of notation, we extend the satisfaction relation to traces of $\mathcal{T}$, i.e., a trace $\tau$ satisfies $\phi$ (denoted by $\tau \models \phi$) if and only if the word $w(\tau)$ produced by $\tau$ satisfies $\phi$. Similarly, a word $w$ and a trace $\tau$ satisfy a set of formulas $\Phi$ ($w \models \Phi$ and $\tau \models \Phi$) if and only if $w \models \phi$ and $\tau \models \phi$, for all $\phi \in \Phi$, respectively.

Given a formula $\phi$, we use $|\phi|$ to denote the size of the formula, i.e., the number of operators present in $\phi$, and we use $|\Phi|$ to denote $\sum_{\phi \in \Phi} |\phi|$.

Definition 3 ($\omega$-Automaton) An $\omega$-automaton is a tuple $\mathcal{A} = (Q, q_{init}, \Sigma, \delta, Acc)$, where $Q$ is a finite set of states; $q_{init} \in Q$ is the initial state; $\Sigma$ is an input alphabet; $\delta \subseteq Q \times \Sigma \times Q$ is a non-deterministic transition relation; $Acc$ is the acceptance condition.

The semantics of $\omega$-automata are defined over infinite input words over $\Sigma$ (such as those generated by the transition system from Def. 1 if $\Sigma = 2^\Pi$). A run of the $\omega$-automaton $\mathcal{A}$ over an input word $w = w(0)w(1)\dots$ is a sequence of states $\rho = q_0 q_1 \dots$, such that $q_0 = q_{init}$, and $(q_i, w(i), q_{i+1}) \in \delta$, for all $i \ge 0$. A finite run over a finite word $w_{fin} = w(0)\dots w(l)$ is a finite sequence of states $\rho_{fin} = q_0 \dots q_{l+1}$, such that $(q_i, w(i), q_{i+1}) \in \delta$, for all $i \in \{0, \dots, l\}$.

A run $\rho = q_0 q_1 \dots$ is accepting if it satisfies the acceptance condition $Acc$. For Büchi automata (BA), $Acc$ is a set of states $F \subseteq Q$, and $\rho$ is accepting if it intersects $F$ infinitely many times. For generalized Büchi automata (GBA), the acceptance condition is a set of sets of states $\mathcal{F} = \{F_1, \dots, F_m\} \subseteq 2^Q$, and $\rho$ is accepting if it intersects $F_i$ infinitely many times for all $F_i \in \mathcal{F}$. A word $w$ is accepted by $\mathcal{A}$ if there exists an accepting run over $w$. The language of all words accepted by $\mathcal{A}$ is denoted by $L(\mathcal{A})$.

An $\omega$-automaton is non-blocking if for all $q \in Q$, $\sigma \in \Sigma$ there exists $q' \in Q$, such that $(q, \sigma, q') \in \delta$. For each $\omega$-automaton $\mathcal{A} = (Q, q_{init}, \Sigma, \delta, Acc)$ a language-equivalent non-blocking $\omega$-automaton can be constructed simply by adding a new state $q_{new}$ to $Q$ and introducing a transition $(q, \sigma, q_{new})$ for all $q \in Q \cup \{q_{new}\}$, $\sigma \in \Sigma$, satisfying the property that $(q, \sigma, q') \notin \delta$ for all $q' \in Q$.

Definition 4 (GBA to BA) A generalized Büchi automaton $\mathcal{G} = (Q_g, q_{init,g}, \Sigma, \delta_g, \mathcal{F} = \{F_1, \dots, F_m\})$ can be translated into a Büchi automaton $\mathcal{B} = (Q, q_{init}, \Sigma, \delta, F)$, such that $L(\mathcal{B}) = L(\mathcal{G})$, as follows: $Q = Q_g \times \{1, \dots, m\}$; $q_{init} = (q_{init,g}, 1)$; $F = F_1 \times \{1\}$; and $((q, j), \sigma, (q', j')) \in \delta$ if and only if $(q, \sigma, q') \in \delta_g$, and

• $q \notin F_j$ and $j' = j$, or

• $q \in F_j$ and $j' = (j \bmod m) + 1$.

Definition 5 (Automata Intersection) Given $n$ Büchi automata $\mathcal{B}_1, \dots, \mathcal{B}_n$, where $\mathcal{B}_i = (Q_i, q_{init,i}, \Sigma, \delta_i, F_i)$ for all $1 \le i \le n$, a Büchi automaton $\mathcal{B} = (Q, q_{init}, \Sigma, \delta, F)$, such that $L(\mathcal{B}) = L(\mathcal{B}_1) \cap \dots \cap L(\mathcal{B}_n)$, can be built as follows: $Q = Q_1 \times \dots \times Q_n \times \{1, \dots, n\}$; $q_{init} = (q_{init,1}, \dots, q_{init,n}, 1)$; $F = F_1 \times Q_2 \times \dots \times Q_n \times \{1\}$; and $((q_1, \dots, q_n, j), \sigma, (q'_1, \dots, q'_n, j')) \in \delta$ if and only if $(q_i, \sigma, q'_i) \in \delta_i$, for all $i \in \{1, \dots, n\}$, and

• $q_j \notin F_j$ and $j' = j$, or

• $q_j \in F_j$ and $j' = (j \bmod n) + 1$.

Intuitively, the set of states of $\mathcal{B}$ can be viewed as $n$ copies (layers) of the Cartesian product of the sets of states $Q_1 \times \dots \times Q_n$.
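The two constructions of Def. 4 and Def. 5, as an added Python example written for this page (not code from the paper): a constructed GBA for GF a ∧ GF b over the three-letter alphabet {a, b, n} is degeneralized, two constructed BAs for GF a and GF b are intersected, and acceptance of ultimately periodic words is checked on both; the letter names, the dict representation of automata and the sample words are assumptions of the example.

```python
from itertools import product

# Constructed automata for this example (not from the paper). A (generalized) Büchi
# automaton is a dict: states, init, delta (a set of (q, letter, q') triples) and acc,
# which is a list of acceptance sets for a GBA or a single set for a BA.
LETTERS = ("a", "b", "n")          # 'n' stands for the letter where neither a nor b holds


def gba_gf_a_and_gf_b():
    """GBA for GF a AND GF b: the state records the last letter read; F_1 = {ra}, F_2 = {rb}."""
    states = ["r0", "ra", "rb"]
    nxt = {"a": "ra", "b": "rb", "n": "r0"}
    delta = {(q, x, nxt[x]) for q in states for x in LETTERS}
    return {"states": states, "init": "r0", "delta": delta, "acc": [{"ra"}, {"rb"}]}


def ba_gf(p):
    """BA for GF p with states p0 (last letter was not p) and p1 (it was); F = {p1}."""
    states = [p + "0", p + "1"]
    delta = {(q, x, p + ("1" if x == p else "0")) for q in states for x in LETTERS}
    return {"states": states, "init": p + "0", "delta": delta, "acc": {p + "1"}}


def gba_to_ba(g):
    """Def. 4: degeneralize a GBA with acceptance sets F_1..F_m into a BA over Q x {1..m}.
    The counter j advances exactly when the source state lies in F_j; F = F_1 x {1}."""
    m = len(g["acc"])
    delta = set()
    for (q, x, q2) in g["delta"]:
        for j in range(1, m + 1):
            j2 = j if q not in g["acc"][j - 1] else (j % m) + 1
            delta.add(((q, j), x, (q2, j2)))
    return {"states": [(q, j) for q in g["states"] for j in range(1, m + 1)],
            "init": (g["init"], 1), "delta": delta, "acc": {(q, 1) for q in g["acc"][0]}}


def intersect(bas):
    """Def. 5: BA for L(B_1) ∩ ... ∩ L(B_n); the counter j names the automaton whose
    accepting set must be visited next, so every B_i is visited infinitely often."""
    n = len(bas)
    by_src = [{} for _ in bas]
    for i, b in enumerate(bas):
        for (q, x, q2) in b["delta"]:
            by_src[i].setdefault((q, x), []).append(q2)
    tuples = list(product(*[b["states"] for b in bas]))
    delta = set()
    for qs in tuples:
        for x in LETTERS:
            for qs2 in product(*[by_src[i].get((qs[i], x), []) for i in range(n)]):
                for j in range(1, n + 1):
                    j2 = j if qs[j - 1] not in bas[j - 1]["acc"] else (j % n) + 1
                    delta.add((qs + (j,), x, qs2 + (j2,)))
    return {"states": [qs + (j,) for qs in tuples for j in range(1, n + 1)],
            "init": tuple(b["init"] for b in bas) + (1,), "delta": delta,
            "acc": {qs + (1,) for qs in tuples if qs[0] in bas[0]["acc"]}}


def accepts_lasso(ba, prefix, loop):
    """Does the BA accept prefix·loop^ω? Nodes (i, q) pair a loop position with a state;
    the word is accepted iff an accepting node reachable after the prefix lies on a cycle."""
    succ = {}
    for (q, x, q2) in ba["delta"]:
        succ.setdefault((q, x), set()).add(q2)
    cur = {ba["init"]}
    for x in prefix:
        cur = {q2 for q in cur for q2 in succ.get((q, x), ())}
    k = len(loop)
    step = lambda v: {((v[0] + 1) % k, q2) for q2 in succ.get((v[1], loop[v[0]]), ())}

    def reach(frontier):
        seen = set()
        while frontier:
            v = frontier.pop()
            if v not in seen:
                seen.add(v)
                frontier |= step(v)
        return seen

    start = reach({(0, q) for q in cur})
    return any(v in reach(step(v)) for v in start if v[1] in ba["acc"])


if __name__ == "__main__":
    degen = gba_to_ba(gba_gf_a_and_gf_b())         # 3 x 2 = 6 states
    inter = intersect([ba_gf("a"), ba_gf("b")])     # 2 x 2 x 2 = 8 states
    for word in (["a", "b"], ["a"], ["a", "n", "b"]):
        print(word, accepts_lasso(degen, [], word), accepts_lasso(inter, [], word))
```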

Any LTL formula $\phi$ over $\Pi$ can be translated into a Büchi automaton $\mathcal{B}_\phi$ with alphabet $2^\Pi$, such that $L(\phi) = L(\mathcal{B}_\phi)$. A number of standard translation algorithms (see, e.g., [10], [12]) rely on a three-step procedure: first, the formula is normalized; second, it is translated into a generalized Büchi automaton; and third, the obtained GBA is translated into a language-equivalent Büchi automaton (see Def. 4).

A weighted $\omega$-automaton $\mathcal{A} = (Q, q_{init}, \Sigma, \delta, Acc, \mathcal{W})$ is an $\omega$-automaton, where $Q, q_{init}, \Sigma, \delta, Acc$ are defined in the usual way, and $\mathcal{W} : \delta \to \mathbb{N}$ is a function assigning a weight to each transition.

Let $\rho = q_0 q_1 \dots$ and $\rho_{fin} = q_0 \dots q_{l+1}$ be an accepting run over $w = w(0)w(1)\dots$ and a finite run over $w_{fin} = w(0)\dots w(l)$ of a weighted Büchi automaton $\mathcal{B}$, respectively. We use $\mathrm{Frag}(\rho) = \{q_i \dots q_k \mid q_i, q_k \in F \text{ and } q_j \notin F \text{ for all } i < j < k\}$ and $\mathrm{Frag}(\rho_{fin}) = \{q_i \dots q_k \mid q_i, q_k \in F,\ 0 \le i < k \le l \text{ and } q_j \notin F \text{ for all } i < j < k\}$ to denote the set of all finite fragments of $\rho$ and $\rho_{fin}$ that begin and end in an accepting state and do not contain any other accepting state. Note that each accepting run $\rho$ and each finite run $\rho_{fin}$ corresponds to a unique sequence of fragments. With a slight abuse of notation, we use

$$\mathcal{W}(q_i \dots q_k) = \sum_{j=i}^{k-1} \mathcal{W}((q_j, w(j), q_{j+1}))$$

to denote the sum of the weights between the states of a fragment $q_i \dots q_k$ of a run $\rho$ over $w$ (or a finite run $\rho_{fin}$ over $w_{fin}$).

B. Automata-Based Model Checking and Strategy Synthesis 

Given a transition system $\mathcal{T}$ and a Büchi automaton $\mathcal{B}$, the model checking problem is to prove or disprove that all traces of $\mathcal{T}$ satisfy $\mathcal{B}$, whereas the control strategy synthesis problem is to find a trace of $\mathcal{T}$ that satisfies $\mathcal{B}$. Both of these problems can be addressed by constructing a product automaton $\mathcal{P}$ that captures all the behaviors of $\mathcal{T}$ satisfying $\mathcal{B}$ and searching for an accepting run of $\mathcal{P}$.

Definition 6 (Product Automaton) A product automaton of a transition system $\mathcal{T} = (S, s_{init}, \mathcal{R}, \Pi, \mathcal{L})$ and a BA $\mathcal{B} = (Q, q_{init}, \Sigma, \delta, F)$ is a Büchi automaton $\mathcal{P} = \mathcal{T} \otimes \mathcal{B} = (Q_\mathcal{P}, q_{init,\mathcal{P}}, \delta_\mathcal{P}, F_\mathcal{P})$, where $Q_\mathcal{P} = S \times Q$; $q_{init,\mathcal{P}} = (s_{init}, q_{init})$; $F_\mathcal{P} = S \times F$; and $((s, q), (s', q')) \in \delta_\mathcal{P}$ if and only if $(s, s') \in \mathcal{R}$ and $(q, \mathcal{L}(s), q') \in \delta$.

If $\mathcal{B} = (Q, q_{init}, \Sigma, \delta, F, \mathcal{W})$ is a weighted Büchi automaton, $\mathcal{P}$ is also weighted: $\mathcal{P} = (Q_\mathcal{P}, q_{init,\mathcal{P}}, \delta_\mathcal{P}, F_\mathcal{P}, \mathcal{W}_\mathcal{P})$, where $\mathcal{W}_\mathcal{P}(((s, q), (s', q'))) = \mathcal{W}((q, \mathcal{L}(s), q'))$, for all $((s, q), (s', q')) \in \delta_\mathcal{P}$.

The product automaton has a trivial alphabet, which is therefore omitted. An accepting run $\rho$ of the product automaton projects onto a trace $\tau$ of $\mathcal{T}$ (denoted by $\tau = \alpha(\rho)$) that satisfies the property captured by the Büchi automaton $\mathcal{B}$. Vice versa, any trace of $\mathcal{T}$ satisfying the property corresponds to an accepting run of the product automaton. Furthermore, if there exists an accepting run $\rho_\mathcal{P}$ of $\mathcal{P}$, then there exists an accepting run $\rho'_\mathcal{P}$ of $\mathcal{P}$ in a prefix-suffix structure, i.e., $\rho'_\mathcal{P} = \rho_{pref} \cdot (\rho_{suf})^\omega$ for some finite sequences $\rho_{pref}$ and $\rho_{suf}$ of states of $\mathcal{P}$, such that the first state of $\rho_{suf}$ is an accepting state from $F_\mathcal{P}$.

The (weighted) product automaton can be viewed as a (weighted) graph $(V, E)$ with the set of vertices $V$ equal to the set of states $Q_\mathcal{P}$ and the set of edges $E$ (and their weights) given by the transition relation $\delta_\mathcal{P}$ (and the weight function $\mathcal{W}_\mathcal{P}$) in the expected way. A simple path in $\mathcal{P}$ is a sequence of states $p_1 \dots p_l$ such that $(p_j, p_{j+1}) \in \delta_\mathcal{P}$, for all $1 \le j < l$, and $p_j = p_{j'} \Rightarrow j = j'$, for all $1 \le j, j' \le l$. A cycle is a sequence of states $p_1 \dots p_l p_{l+1}$, where $p_1 \dots p_l$ is a simple path and $p_{l+1} = p_1$. A state $p'$ is reachable from $p$ if there is a simple path from $p$ to $p'$.

Definition 7 (Maximal simple distance) The maximal simple distance from $p_f \in F_\mathcal{P}$ to $p$ in a weighted product automaton $\mathcal{P}$ is the maximal sum of edge weights on a simple path $p_1 \dots p_l$ from $p_1 = p_f$ to $p_l = p$, such that $p_j \notin F_\mathcal{P}$, for all $1 < j < l$.



Efficient graph search algorithms can be used for finding a prefix $\rho_{pref}$ (a simple path from the initial state to an accepting state in the product graph) followed by a periodically repeated suffix $\rho_{suf}$ (a cycle in the product graph containing an accepting state) of an accepting run $\rho = \rho_{pref} \cdot (\rho_{suf})^\omega$ (a lasso-shaped path in the product graph). One of the standard algorithms to do so is nested depth-first search (DFS) [2], successfully implemented, for instance, in the pioneering model checker SPIN [14]. The worst-case complexity of this algorithm is linear in time and space with respect to the size (the number of states and transitions) of the product automaton $\mathcal{P}$.
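The product construction of Def. 6 and the nested depth-first search described above, as an added Python example that is not part of the paper: a constructed four-region transition system and a deterministic Büchi automaton for the mission F(target ∧ F base) ∧ G ¬unsafe are assumed, the search returns the lasso-shaped accepting run of the product and projects it onto a trace of T, and a second transition system in which the target lies behind the unsafe region shows the failure report.

```python
# Constructed example (not the paper's case study): a corridor with four regions and the
# mission "eventually visit the target and then return to base, never entering the unsafe
# region", i.e. F(target AND F base) AND G NOT unsafe, given as a deterministic Büchi
# automaton whose transition function blocks on letters containing 'unsafe'.

TS_OK = {  # Def. 1: initial state, transition relation R as successor lists, labels L
    "init": "base",
    "R": {"base": ["c1", "unsafe"], "c1": ["base", "target"],
          "unsafe": ["target"], "target": ["c1", "unsafe"]},
    "L": {"base": {"base"}, "c1": set(), "unsafe": {"unsafe"}, "target": {"target"}},
}
# Same regions, but the target is only reachable through the unsafe region.
TS_BLOCKED = {
    "init": "base",
    "R": {"base": ["c1", "unsafe"], "c1": ["base"], "unsafe": ["target"], "target": ["c1"]},
    "L": TS_OK["L"],
}


def ba_step(q, props):
    """Deterministic BA for F(target AND F base) AND G NOT unsafe; returns the successor
    set of state q on the letter props (empty set = no transition, the run dies)."""
    if "unsafe" in props:
        return set()
    if q == "q0":
        return {"q1"} if "target" in props else {"q0"}
    if q == "q1":
        return {"q2"} if "base" in props else {"q1"}
    return {"q2"}                       # q2: mission done, just keep avoiding 'unsafe'

BA = {"init": "q0", "acc": {"q2"}, "step": ba_step}


def product_automaton(ts, ba):
    """Def. 6: P = T ⊗ B on pairs (s, q). The B-transition is taken on the label L(s) of
    the *source* state s, and (s, q) is accepting iff q is accepting in B."""
    def succ(p):
        s, q = p
        return [(s2, q2) for s2 in ts["R"][s] for q2 in sorted(ba["step"](q, ts["L"][s]))]
    return succ, (ts["init"], ba["init"]), (lambda p: p[1] in ba["acc"])


def nested_dfs(succ, init, accepting):
    """Nested DFS: the outer (blue) DFS explores the product in post-order; when it leaves
    an accepting state, an inner (red) DFS looks for a path back to it. Returns
    (prefix, cycle) of product states, i.e. rho = prefix · cycle^ω, or None."""
    blue, red, path = set(), set(), []

    def red_dfs(v, seed):
        for w in succ(v):
            if w == seed:
                return [w]
            if w not in red:
                red.add(w)
                tail = red_dfs(w, seed)
                if tail is not None:
                    return [w] + tail
        return None

    def blue_dfs(v):
        blue.add(v)
        path.append(v)
        for w in succ(v):
            if w not in blue:
                found = blue_dfs(w)
                if found is not None:
                    return found
        if accepting(v):
            tail = red_dfs(v, v)
            if tail is not None:          # tail ends with the seed v itself
                return path[:-1], [v] + tail[:-1]
        path.pop()
        return None

    return blue_dfs(init)


def synthesize(ts, ba):
    """Control strategy synthesis: project an accepting lasso of P onto a trace of T,
    returned as (prefix_regions, cycle_regions); None if no trace satisfies the spec."""
    lasso = nested_dfs(*product_automaton(ts, ba))
    if lasso is None:
        return None
    prefix, cycle = lasso
    return [s for s, _ in prefix], [s for s, _ in cycle]


if __name__ == "__main__":
    print(synthesize(TS_OK, BA))       # (['base', 'c1', 'target', 'c1', 'base', 'c1'], ['base', 'c1'])
    print(synthesize(TS_BLOCKED, BA))  # None
```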

III. Problem Formulation and Approach 

Let us consider a robot moving in a partitioned environment with its motion capabilities modeled as a labeled transition system $\mathcal{T} = (S, s_{init}, \mathcal{R}, \Pi, \mathcal{L})$ from Def. 1. Each region of the environment is modeled as a state of the transition system and the robot's ability to move between two regions is represented as a transition between the corresponding states. In case several controlled robots are placed in the environment, the states of the transition system encode positions of all the robots in the environmental regions, i.e., for $k$ robots, a state corresponds to a $k$-tuple of regions, where the $i$-th element of the tuple is the region in which the $i$-th robot is placed. The transitions between the states reflect the simultaneous motion capabilities of all the robots. The labeling function $\mathcal{L}$ maps each state of the transition system to the subset of atomic propositions from $\Pi$ that hold true in this state, such as "Vehicle $x$ is in a safe region."

There is a set of high-level missions to be accomplished by the robotic system expressed as a set of LTL formulas $\Phi = \{\phi_1, \dots, \phi_n\}$ over $\Pi$ with priorities of their satisfaction determined by a reward function $rew : \Phi \to \mathbb{N}$. The value $rew(\phi_i)$ represents the reward that is gained if specification $\phi_i$ is accomplished. Without loss of generality, from now on, we assume that $rew(\phi_i) \ge rew(\phi_j)$, for all $1 \le i < j \le n$.

Given a trace $\tau$ of the transition system $\mathcal{T}$, we define the trace reward as the sum of the rewards of all formulas from $\Phi$ that are satisfied on this trace.

Definition 8 (Trace Reward) The reward of a trace $\tau$ of $\mathcal{T}$ is

$$Rew(\tau) = \sum_{\phi_i \in \Phi,\ \tau \models \phi_i} rew(\phi_i). \qquad (1)$$

We are now ready to formally state our problem of finding "the best" trace of $\mathcal{T}$, i.e., "the least violating" motion of the robot (or the robots) in the environment with respect to the given set of mission specifications.

Problem 1 Given

• a transition system $\mathcal{T} = (S, s_{init}, \mathcal{R}, \Pi, \mathcal{L})$;

• a set of LTL formulas $\Phi = \{\phi_1, \dots, \phi_n\}$ over $\Pi$; and

• a reward function $rew : \Phi \to \mathbb{N}$,

find a trace $\tau$ of $\mathcal{T}$ that maximizes $Rew(\tau)$ from Eq. (1).



Remark 1 Note that if $rew(\phi_i) = 2^{n-i}$ for each formula $\phi_i \in \Phi$, then the set $\Phi$ is in fact ordered according to the standard lexicographic ordering. In other words, it is always more important to satisfy $\phi_i$ than $\phi_{i+1} \wedge \dots \wedge \phi_n$.

A straightforward solution to Prob. 1 is to consider all the possible subsets $\Phi_I = \{\phi_i \mid i \in I\}$, $I \subseteq \{1, \dots, n\}$, of formulas from $\Phi$ and to find a trace $\tau_I$ of $\mathcal{T}$ satisfying $\Phi_I$ if such a trace exists. The search can be done using one of the known model-checking algorithms (e.g., the automata-based algorithm from Sec. II). A trace $\tau_I$ maximizing $Rew(\tau_I)$ among the found ones maps to the desired robot path. However, this brute-force solution is not efficient as it requires up to $2^n$ model-checking procedure runs in the worst case.

In this paper, we suggest a method to alleviate the high computational demand of this straightforward solution. The main idea builds on the automata-based approach to model checking. We construct a single weighted Büchi automaton $\mathcal{B}_{all}$ for the specifications in $\Phi$ and capture the rewards of the LTL formulas through its weights. Then, a weighted product automaton $\mathcal{P} = \mathcal{T} \otimes \mathcal{B}_{all}$ is built and an optimal accepting run of $\mathcal{P}$ is sought using a modification of the nested-DFS algorithm, with a computational complexity only slightly worse in comparison to the original nested DFS. Roughly speaking, instead of up to $2^n$ model-checking procedure runs, we perform only a single execution of an altered model-checking algorithm.

IV. Problem Solution 

This section introduces our solution to Prob. 1 in detail. First, we present the construction of the weighted Büchi automaton $\mathcal{B}_{all}$ and the weighted product automaton $\mathcal{P}$. Second, the modified nested DFS is given. Third, we discuss the solution's correctness, completeness and complexity.

A. Construction of the Weighted Automata 

Consider the set of mission specifications $\Phi = \{\phi_1, \dots, \phi_n\}$ that are translated (e.g., using the algorithm from [10]) into generalized Büchi automata

$$\mathcal{G}_{\phi_1} = (Q_1, q_{init,1}, \Sigma, \delta_1, \mathcal{F}_1 = \{F_1^1, \dots, F_1^{m_1}\}),\ \dots,\ \mathcal{G}_{\phi_n} = (Q_n, q_{init,n}, \Sigma, \delta_n, \mathcal{F}_n = \{F_n^1, \dots, F_n^{m_n}\}),$$

respectively. Without loss of generality, we assume that $\mathcal{G}_{\phi_1}, \dots, \mathcal{G}_{\phi_n}$ are all non-blocking. We build the weighted Büchi automaton $\mathcal{B}_{all}$ leveraging ideas from the translation of generalized Büchi automata to Büchi automata (Def. 4) and from the construction of a Büchi automaton for the language intersection of several Büchi automata (Def. 5).

Definition 9 (Weighted Büchi automaton) A weighted Büchi automaton $\mathcal{B}_{all} = (Q, q_{init}, \Sigma, \delta, F, \mathcal{W})$ is defined as follows:

• $Q = Q_1 \times \dots \times Q_n \times (\{(j, l) \mid 1 \le j \le n,\ 1 \le l \le m_j\} \cup \{(0, 0)\})$;

• $q_{init} = (q_{init,1}, \dots, q_{init,n}, (0, 0))$;

• $t = ((q_1, \dots, q_n, (j, l)), \sigma, (q'_1, \dots, q'_n, (j', l'))) \in \delta$ if $(q_i, \sigma, q'_i) \in \delta_i$ for all $i \in \{1, \dots, n\}$, and

1) $(j, l) = (0, 0)$ and

a) $(j', l') = (0, 0)$. Then $\mathcal{W}(t) = 0$.

b) $j' > 0$, $l' = 1$. Then $\mathcal{W}(t) = rew(\phi_{j'})$.

2) $j \ne 0$ and

a) $(j', l') = (j, l)$ and $q_j \notin F_j^l$. Then $\mathcal{W}(t) = 0$.

b) $l \ne m_j$, $(j', l') = (j, l + 1)$ and $q_j \in F_j^l$. Then $\mathcal{W}(t) = 0$.

c) $l = m_j$, $j < n$, $j < j'$, $l' = 1$ and $q_j \in F_j^l$. Then $\mathcal{W}(t) = rew(\phi_{j'})$.

d) $l = m_j$, $(j', l') = (0, 0)$, and $q_j \in F_j^l$. Then $\mathcal{W}(t) = 0$.

• $F = Q_1 \times Q_2 \times \dots \times Q_n \times \{(0, 0)\}$.

Loosely speaking, the set of states of the automaton $\mathcal{B}_{all}$ can be viewed as layers, where the $j$-th layer consists of $m_j$ components, for all $1 \le j \le n$. Each component then involves a copy of each element from the Cartesian product $Q_1 \times \dots \times Q_n$. Within the $j$-th layer, the $l$-th component is connected to the $(l+1)$-th component through transitions leading from states whose $j$-th element lies in $F_j^l$. The $j$-th layer is connected to the $j'$-th layer through transitions leading from states whose $j$-th element lies in $F_j^{m_j}$, for all $j + 1 \le j' \le n$. These transitions are labeled with the reward $rew(\phi_{j'})$. Besides that, there is a layer consisting of only one component, $(0, 0)$, whose states are all accepting and are the only accepting ones. From this component, transitions lead to the first component of each layer, and dually, from the last component of each layer, transitions lead to this component.

Note that the automaton $\mathcal{B}_{all}$ accepts all words satisfying specifications from $\Phi$. The weights associated with transitions connecting the layers determine the "quality" of a particular run, i.e., they capture which formulas are satisfied by this run. Particularly, if an accepting run enters the $j$-th layer infinitely many times, then it intersects all $F_j^l \in \mathcal{F}_j$ infinitely many times and thus the satisfaction of $\phi_j$ is guaranteed. Furthermore, such a run contains infinitely many transitions weighted with $rew(\phi_j)$.

Formally, the purpose of the weights of $\mathcal{B}_{all}$ is summarized as follows. Let us denote the component of a state as $component(q_1, \dots, q_n, (j, l)) = (j, l)$.

Definition 10 (Run Reward) The reward of a run $\rho$ of $\mathcal{B}_{all}$ is

$$Rew(\rho) = \max\{C \mid C = \mathcal{W}(q_i \dots q_l) \text{ for infinitely many fragments } q_i \dots q_l \in \mathrm{Frag}(\rho)\}.$$

Intuitively, a run $\rho$ can be split into a sequence of fragments that is associated with a respective sequence of fragment weights. The run reward is equal to the maximal weight that appears in the sequence of fragment weights infinitely many times.

Lemma 1 Consider a word $w = w(0)w(1)\dots$, where $w \models \Phi_I$ and $w \not\models \phi$, for all $\phi \in \Phi \setminus \Phi_I$. There exists an accepting run $\rho = q_0 q_1 \dots$ of $\mathcal{B}_{all}$ over $w$, such that $Rew(\rho) = \sum_{\phi_i \in \Phi_I} rew(\phi_i)$. Furthermore, for each accepting run $\rho' = q'_0 q'_1 \dots$ of $\mathcal{B}_{all}$ over $w$ it holds that $Rew(\rho') \le \sum_{\phi_i \in \Phi_I} rew(\phi_i)$.

Proof: If $w \models \Phi_I$ then there is an accepting run $\rho_i = q_0 q_1 \dots$ of $\mathcal{G}_{\phi_i}$ over $w$, for all $\phi_i \in \Phi_I$. Let $I = \{i_1, \dots, i_j\}$. According to the construction of $\mathcal{B}_{all}$ (Def. 9), there exists a run $\rho = p_0 p_1 \dots$ of $\mathcal{B}_{all}$, such that each fragment $p_k \dots p_{k'} \in \mathrm{Frag}(\rho)$ satisfies the following:

$$component(p_k) = (0, 0),$$
$$component(p_{k+1}) = \dots = (i_1, 1),\ \dots,\ \dots = (i_1, |\mathcal{F}_{i_1}|),$$
$$\dots = (i_2, 1),\ \dots,\ \dots = (i_2, |\mathcal{F}_{i_2}|),$$
$$\vdots$$
$$\dots = (i_j, 1),\ \dots,\ \dots = (i_j, |\mathcal{F}_{i_j}|),$$
$$component(p_{k'}) = (0, 0),$$

i.e., between its accepting end states the fragment passes through the components $(i_1, 1), \dots, (i_1, |\mathcal{F}_{i_1}|), \dots, (i_j, 1), \dots, (i_j, |\mathcal{F}_{i_j}|)$ in this order, staying in each of them for one or more consecutive states. The total weight of such a fragment, and hence also the reward of $\rho$, is equal to $\sum_{\phi_i \in \Phi_I} rew(\phi_i)$ directly from the construction of $\mathcal{B}_{all}$.

On the other hand, assume that there exists a run $\rho' = q'_0 q'_1 \dots$ of $\mathcal{B}_{all}$ over $w$ such that $Rew(\rho') > \sum_{\phi_i \in \Phi_I} rew(\phi_i)$. From the construction of the automaton $\mathcal{B}_{all}$, this means that there exist infinitely many fragments $p_k \dots p_{k'} \in \mathrm{Frag}(\rho')$ with their weight larger than $\sum_{\phi_i \in \Phi_I} rew(\phi_i)$. Therefore, there exist $\phi_l \notin \Phi_I$ and states $p'_1, \dots, p'_{|\mathcal{F}_l|}$ of $\mathcal{B}_{all}$, such that $component(p'_j) = (l, j)$ for all $j \in \{1, \dots, |\mathcal{F}_l|\}$. Thus, the run $\rho'$ can be projected to an accepting run of $\mathcal{B}_l$ over $w$, which is in contradiction with our assumption that $w \not\models \phi_l$ for all $\phi_l \in \Phi \setminus \Phi_I$. ■

The second step of our algorithm is the construction of a product automaton $\mathcal{P} = \mathcal{T} \otimes \mathcal{B}_{all} = (Q_\mathcal{P}, q_{init,\mathcal{P}}, \delta_\mathcal{P}, F_\mathcal{P}, \mathcal{W}_\mathcal{P})$ (see Def. 6). Based on Lemma 1, the product automaton satisfies the following:

Lemma 2 Let $\tau$ be a trace of $\mathcal{T}$. Then, there exists a run $\rho_\mathcal{P}$ of $\mathcal{P}$ with $\tau = \alpha(\rho_\mathcal{P})$ such that the reward $Rew(\tau) = Rew(\rho_\mathcal{P})$. Moreover, $Rew(\tau) \ge Rew(\rho'_\mathcal{P})$ for all $\rho'_\mathcal{P}$ with

Proof: The proof follows directly from Lemma 1 and the fact that for each trace $\tau$ that produces a word $w = w(0)w(1)\dots$ accepted by a run $\rho = q_0 q_1 \dots$ of $\mathcal{B}_{all}$, there exists an accepting run $\rho_\mathcal{P} = p_0 p_1 \dots$ in $\mathcal{P}$, such that $\mathcal{W}_\mathcal{P}((p_i, p_{i+1})) = \mathcal{W}((q_i, w(i), q_{i+1}))$ and $q_i \in F \Leftrightarrow p_i \in F_\mathcal{P}$, for all $i \ge 0$. ■

Lemma 3 For each run $\rho_\mathcal{P}$ there exists a run $\rho'_\mathcal{P}$ in prefix-suffix structure, such that $Rew(\rho_\mathcal{P}) = Rew(\rho'_\mathcal{P})$.



Proof: Because $\rho_\mathcal{P} = p_0 p_1 \dots$ is infinite, there exists a state $p \in F_\mathcal{P}$ that appears on $\rho_\mathcal{P}$ infinitely many times and there exists a fragment $p \dots p'$ starting in $p$ such that $\mathcal{W}(p \dots p') = Rew(\rho_\mathcal{P})$. Because $p$ occurs on $\rho_\mathcal{P}$ infinitely many times, $p$ is reachable from $p'$. Therefore, the run $\rho_\mathcal{P}$ is a sequence of states $\rho_\mathcal{P} = p_0 p_1 \dots p \dots p' \dots p \dots$. Let $\rho'_\mathcal{P} = p_0 p_1 \dots (p \dots p' \dots p)^\omega$. The run $\rho'_\mathcal{P}$ is in prefix-suffix structure, it is accepting and $Rew(\rho_\mathcal{P}) = Rew(\rho'_\mathcal{P})$. ■

The three lemmas above provide us with guidance on computing the trace of $\mathcal{T}$ with the maximal reward: it is enough to compute a run of $\mathcal{P}$, in the prefix-suffix structure, that maximizes $Rew(\rho_\mathcal{P})$ and project this run onto a trace of $\mathcal{T}$. This is stated in the following proposition.

Proposition 1 Let $\tau = s_0 s_1 \dots$ be a trace of $\mathcal{T}$, such that $\tau \models \Phi_I$ and $\tau \not\models \phi$, for all $\phi \in \Phi \setminus \Phi_I$. Then, there exists an accepting run $\rho_\mathcal{P} = (s_0, q_0)(s_1, q_1)\dots$ in $\mathcal{P}$ such that

(i) $\rho_\mathcal{P}$ is in prefix-suffix structure and

(ii) $Rew(\rho_\mathcal{P}) = \sum_{\phi_i \in \Phi_I} rew(\phi_i)$.

The remaining task is to find a run $\rho_\mathcal{P}$ satisfying condition (i) of Proposition 1 and maximizing $Rew(\rho_\mathcal{P})$. The problem thus reduces to searching for a reachable cycle $c$ (a repeated run suffix) in $\mathcal{P}$ beginning (and thus also ending) in an accepting state that maximizes the value

$$Rew(c) = \max_{p_i \dots p_l \in \mathrm{Frag}(c)} \mathcal{W}(p_i \dots p_l) \qquad (2)$$

among all such cycles. The following lemma helps narrow down the search even further, showing that it is enough to search for a particular type of cycle.

Lemma 4 Given a cycle $c$ in $\mathcal{P}$ and a fragment $p_i \dots p_l \in \mathrm{Frag}(c)$, there exists a simple path $p_i \dots p_l$, such that

Proof: From the construction of the automaton $\mathcal{B}_{all}$, it follows that if there is a simple path from $(q_1, \dots, q_n, (0, 0)) \in Q$ to $(q'_1, \dots, q'_n, (0, 0)) \in Q$ in the automaton $\mathcal{B}_{all}$, then there exists a simple path from $(q_1, \dots, q_n, (0, 0))$ to $(q'_1, \dots, q'_n, (0, 0))$ that contains only states $q \in Q$, such that $component(q) = (0, 0)$. Thus, if there is a simple path from $(s, q_1, \dots, q_n, (0, 0)) \in Q_\mathcal{P}$ to $(s', q'_1, \dots, q'_n, (0, 0)) \in Q_\mathcal{P}$ in the product automaton $\mathcal{P}$, then there exists also a simple path from $(s, q_1, \dots, q_n, (0, 0))$ to $(s', q'_1, \dots, q'_n, (0, 0))$ that contains only states $p \in Q_\mathcal{P}$, such that $component(p) = (0, 0)$. The reward of such a simple path is 0. ■

Thanks to Lemma 4, it is enough to search for a cycle $c$ maximizing Eq. (2) such that $\mathcal{W}(p_i \dots p_l) = 0$ for all fragments $p_i \dots p_l \in \mathrm{Frag}(c)$ but one. Hence, without loss of generality, we can consider only cycles $c = p_1 \dots p_l p_{l+1} \dots p_1$ such that $\mathcal{W}(p_1 \dots p_l)$ may be non-zero only for the first fragment $p_1 \dots p_l$ of the cycle. Such a cycle can be found by adapting the standard nested depth-first search algorithm, as we show in the following section.



Proposition 2 A maximal-reward trace of $\mathcal{T}$ can be obtained as a projection $\alpha(p_0 \dots p_l) \cdot (\alpha(c))^\omega$ of a path $p_0 \dots p_l$ and a cycle $c = p_{l+1} \dots p_i p_{i+1} \dots p_{l+1}$, such that

• $p_0 = q_{init,\mathcal{P}}$, $(p_l, p_{l+1}) \in \delta_\mathcal{P}$, $p_{l+1} \in F_\mathcal{P}$,

• $\mathcal{W}(p_{l+1} \dots p_i)$ for the first fragment $p_{l+1} \dots p_i \in \mathrm{Frag}(c)$ of the cycle is maximized, and

• $\mathcal{W}(p_j \dots p_k) = 0$, for all fragments $p_j \dots p_k \in \mathrm{Frag}(p_i \dots p_{l+1})$.

B. Weighted Nested Depth-First Search 

This section aims at the search for a path $p_0 \dots p_l$ followed by a cycle $p_{l+1} \dots p_{l+1}$ satisfying the conditions of Prop. 2. The solution is summarized in Alg. 1 to Alg. 3. The external functions used in the algorithms are summarized and explained in Table I.

First, let us focus on a solution to the following sub-problem: given an accepting state $p_f \in F_\mathcal{P}$, find a cycle $c = p_f \dots p_i p_{i+1} \dots p_f$ that maximizes the value $\mathcal{W}(p_f \dots p_i)$ in Eq. (2) for the first fragment $p_f \dots p_i \in \mathrm{Frag}(c)$ among all cycles that begin and end in $p_f$. A modification of the breadth-first graph search algorithm as described in Alg. 3 can be used to do so in $O(|\mathcal{P}|)$ time and space thanks to the fact that the individual layers connected through non-zero weighted transitions form a directed acyclic graph. Intuitively, the algorithm systematically searches the graph $\mathcal{P}$ and maintains for each state $p$ the approximation of the maximal simple distance (Def. 7) from $p_f$ to $p$. The correctness of the algorithm relies on the fact that when $p$ is processed on line 2 of the procedure propagate (Alg. 2), the value of $p.dist$ is set to the actual maximal simple distance from $p_f$ to $p$. When all states that are reachable from $p_f$ are visited in Alg. 2, the second phase (lines 14-25) of Alg. 3 is executed to check whether $p_f$ is also reachable from $p$, considering the states $p$ one by one in descending order of their $p.dist$.

Second, the cycle satisfying the conditions of Prop. 2 can be found by running Alg. 3 from each $p_f \in F_{\mathcal{P}}$ reachable from the initial state, potentially traversing the whole graph $|F_{\mathcal{P}}|$ times. However, leveraging ideas from the nested DFS algorithm, the complexity can be reduced. The idea is to run Alg. 3 from the states in $F_{\mathcal{P}}$ in a particular order that ensures that the states visited during previous executions of Alg. 3 do not need to be visited again. In particular, in the standard nested DFS it holds that if a cycle is sought from a state $p'_f$ (the so-called inner search) that is reachable from $p_f$ and the search is unsuccessful, then later, when a cycle is sought from $p_f$, the states visited in the inner search from $p'_f$ do not have to be considered again. Based on this idea, we formulate the following lemma, which explains the correctness of our approach.

Lemma 5 Let $p'_f \in F_{\mathcal{P}}$ be reachable from $p_f \in F_{\mathcal{P}}$ and $p \in Q_{\mathcal{P}}$ be reachable from both $p_f$ and $p'_f$. If there exists a cycle $c$ from state $p_f \in F_{\mathcal{P}}$ containing state $p$, then there exists a cycle $c'$ from $p'_f \in F_{\mathcal{P}}$ with reward $\mathrm{Rew}(c') \geq \mathrm{Rew}(c)$.

Proof: Because $p_f$ is reachable from $p$, $p$ is reachable from $p'_f$, and $p'_f$ is reachable from $p_f$, it follows that $p_f$ is reachable from $p'_f$. Therefore, there exists a cycle $c' = p'_f \ldots p_f \ldots p \ldots p_f \ldots p'_f$, where $p_f \ldots p \ldots p_f = c$. Clearly $\mathrm{Rew}(c') \geq \mathrm{Rew}(c)$. ■



find_arbitrary_trace(T)     returns an arbitrary trace of TS T
find_path(P, p, p_f)        returns a path from p to p_f in P
successors(p)               returns the immediate successors of p in P
stack.push(p)               inserts p on the top of stack
stack.top()                 reads from the top of stack
stack.top_and_pop()         destructively reads from the top of stack
stack.pop()                 removes the element from the top of stack
reverse(stack)              returns the elements of stack in reversed order

TABLE I: List of functions used in Alg. 1-4.

Alg. 1 weighted_nested_DFS(P)
Input: product automaton P
Output: solution to Prob. 1
 1: weight_max := 0; prefix_max := ε; cycle_max := ε
 2: stack_outer := empty; visited_outer := ∅
 3: visited_inner := ∅; visited_pa := ∅
 4: for all p ∈ Q_P do
 5:   p.dist := 0; p.pred := ⊥
 6: end for
 7: run := DFS(P, p_init)
 8: if run ≠ ε then
 9:   return trace := α(run)
10: else
11:   return find_arbitrary_trace(T)
12: end if

Alg. 2 DFS(P, p)
Input: product automaton P, state p
Output: run of P satisfying conditions of Prop. 2
 1: stack_outer.push(p); visited_outer := visited_outer ∪ {p}
 2: repeat
 3:   p' := stack_outer.top()
 4:   if successors(p') \ visited_outer ≠ ∅ then
 5:     pick p'' ∈ successors(p') \ visited_outer
 6:     stack_outer.push(p'')
 7:     visited_outer := visited_outer ∪ {p''}
 8:   else
 9:     stack_outer.pop()
10:     if p' ∈ F_P then
11:       p'.dist := 0; p'.pred := ⊥
12:       cycle := longest_cycle_search(P, p')
13:       if p'.dist > weight_max then
14:         weight_max := p'.dist; cycle_max := cycle
15:         prefix_max := reverse(stack_outer)
16:       end if
17:     end if
18:   end if
19: until (stack_outer = empty ∨ weight_max = n)
20: return prefix_max · (cycle_max)^ω

Alg. 3 longest_cycle_search(P, p_f)
Input: product automaton P, accepting state p_f ∈ F_P
Output: cycle (p_f, ..., p_f) maximizing Eq. 2 (if one exists)
 1: queue_curr := (p_f)
 2: for all 1 ≤ i ≤ n do
 3:   queues_all[i] := empty
 4: end for
 5: search_from := ∅
 6: propagate(P, queue_curr, queues_all, search_from)
 7: for all 1 ≤ i ≤ n do
 8:   queue_curr := queues_all[i]
 9:   if queue_curr ≠ empty then
10:     propagate(P, queue_curr, queues_all, search_from)
11:   end if
12: end for
13: cycle := ε
14: order search_from decreasingly according to p.dist
15: while search_from ≠ empty do
16:   p := search_from.top_and_pop()
17:   path_suf := find_path(P, p, p_f)
18:   if path_suf ≠ ε then
19:     p_f.dist := p.dist; path_pref := ε
20:     repeat
21:       path_pref := (p.pred) · (path_pref); p := p.pred
22:     until p = p_f
23:     return cycle := (path_pref) · (path_suf)
24:   end if
25: end while
26: return cycle := ε

Alg. 4 propagate(P, queue_curr, queues_all, search_from)
 1: repeat
 2:   p := queue_curr.front_and_pop()
 3:   if p ∉ visited_inner then
 4:     visited_inner := visited_inner ∪ {p}
 5:     for all p' ∈ succs(p) do
 6:       if p'.dist < p.dist + W_P(p, p') then
 7:         p'.dist := p.dist + W_P(p, p'); p'.pred := p
 8:         if component(p') = (0,0) ∧ p' ∉ search_from then
 9:           search_from := search_from ∪ {p'}
10:         end if
11:         if component(p') = component(p) then
12:           queue_curr.push(p')
13:         else if component(p') = i for some i ≥ 1 then
14:           queues_all[i].push(p')
15:         end if
16:       end if
17:     end for
18:   end if
19: until queue_curr = empty

C. Algorithm Summary and Analysis

The overall solution can be summarized as follows:
1) Each of the formulas $\varphi \in \Phi$ is translated into a generalized Büchi automaton.
2) A weighted Büchi automaton $\mathcal{B}_{all}$ is built (see Def. 9).
3) A weighted product automaton $\mathcal{P} = \mathcal{T} \otimes \mathcal{B}_{all}$ is constructed (see Def. 6).
4) Alg. 1 is run on $\mathcal{P}$.
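As an added worked example, not code from the paper or from its C++ implementation, the following Python reconstructs Alg. 1 to Alg. 4 from the listings above (the sub-problem solved by Alg. 3 and the nested-DFS pruning that Lemma 5 justifies, in one program) and runs them on a small hand-constructed weighted product automaton. The automaton, its component labels and its edge weights are assumptions chosen so that the layered search and the shared visited_inner set are exercised; they are not derived from Def. 6 or Def. 9. Two deliberate deviations from the listings are marked in comments: unreached states start with dist = -inf rather than 0, so that zero-weight transitions inside a component are also propagated, and a cycle only counts when longest_cycle_search actually returns one.

```python
# Added example (not the paper's C++ code): Alg. 1-4 reconstructed from the
# listings above and run on a hand-constructed weighted product automaton.
from collections import deque
from math import inf


class ProductAutomaton:
    """component[p] == 0 stands for the paper's (0, 0) component, layers are 1..n_layers."""

    def __init__(self, init, accepting, component, edges, n_layers):
        self.init, self.accepting, self.n_layers = init, set(accepting), n_layers
        self.component = component
        self.succ = {p: [] for p in component}      # p -> [(p', W_P(p, p'))]
        for p, q, w in edges:
            self.succ[p].append((q, w))
        self.dist = {p: -inf for p in component}    # listing uses 0; -inf = unreached
        self.pred = {p: None for p in component}    # p.pred, ⊥ as None


def find_path(P, p, p_f):
    """Table I find_path: BFS for an arbitrary path p ... p_f (ends included), [] if none."""
    parent, queue = {p: None}, deque([p])
    while queue:
        x = queue.popleft()
        if x == p_f:                                # rebuild the path from the BFS tree
            path = [x]
            while parent[path[-1]] is not None:
                path.append(parent[path[-1]])
            return path[::-1]
        for y, _ in P.succ[x]:
            if y not in parent:
                parent[y] = x
                queue.append(y)
    return []


def propagate(P, queue_curr, queues_all, search_from, visited_inner):
    """Alg. 4: relax p'.dist layer by layer; queues_all[i] collects states of layer i."""
    while queue_curr:
        p = queue_curr.popleft()
        if p in visited_inner:                      # shared across inner searches (Lemma 5)
            continue
        visited_inner.add(p)
        for q, w in P.succ[p]:
            if P.dist[q] < P.dist[p] + w:
                P.dist[q], P.pred[q] = P.dist[p] + w, p
                if P.component[q] == 0:
                    search_from.add(q)              # candidate end of the first fragment
                if P.component[q] == P.component[p]:
                    queue_curr.append(q)
                elif P.component[q] >= 1:
                    queues_all[P.component[q]].append(q)


def longest_cycle_search(P, p_f, visited_inner):
    """Alg. 3: cycle p_f ... p_f with maximal first-fragment weight, [] if none."""
    queues_all = {i: deque() for i in range(1, P.n_layers + 1)}
    search_from = set()
    propagate(P, deque([p_f]), queues_all, search_from, visited_inner)
    for i in range(1, P.n_layers + 1):              # layers form a DAG: process in order
        if queues_all[i]:
            propagate(P, queues_all[i], queues_all, search_from, visited_inner)
    for p in sorted(search_from, key=lambda s: P.dist[s], reverse=True):
        path_suf = find_path(P, p, p_f)             # second phase: can we get back to p_f?
        if path_suf:
            P.dist[p_f] = P.dist[p]                 # reward of the cycle found
            path_pref = []
            while p != p_f:                         # walk the pred chain back to p_f
                path_pref.insert(0, P.pred[p])
                p = P.pred[p]
            return path_pref + path_suf
    return []


def weighted_nested_dfs(P, max_reward=inf):
    """Alg. 1 + Alg. 2: returns (weight_max, prefix_max, cycle_max)."""
    weight_max, prefix_max, cycle_max = 0, [], []
    visited_inner, stack_outer, visited_outer = set(), [P.init], {P.init}
    while stack_outer and weight_max < max_reward:  # 'weight_max = n' stops early
        p1 = stack_outer[-1]
        fresh = [q for q, _ in P.succ[p1] if q not in visited_outer]
        if fresh:
            stack_outer.append(fresh[0])
            visited_outer.add(fresh[0])
            continue
        stack_outer.pop()                           # accepting states handled in post-order
        if p1 in P.accepting:
            P.dist[p1], P.pred[p1] = 0, None
            cycle = longest_cycle_search(P, p1, visited_inner)
            if cycle and P.dist[p1] > weight_max:   # deviation: require an actual cycle
                weight_max, cycle_max = P.dist[p1], cycle
                prefix_max = list(stack_outer)      # reverse(stack_outer): bottom to top
    return weight_max, prefix_max, cycle_max


def build_example():
    """Constructed input: component 0 = {s0, a, b, r}, layer 1 = {t1, t2}, layer 2 = {u}."""
    component = {"s0": 0, "a": 0, "b": 0, "r": 0, "t1": 1, "t2": 1, "u": 2}
    edges = [("s0", "a", 0), ("a", "t1", 5), ("a", "b", 0), ("t1", "u", 3), ("u", "r", 0),
             ("r", "a", 0), ("r", "b", 0), ("b", "t2", 4), ("t2", "r", 0)]
    return ProductAutomaton("s0", {"a", "b"}, component, edges, n_layers=2)


def cycle_weight(P, cycle):
    # Sum of W_P along a cycle, to cross-check the reported p_f.dist.
    return sum(dict(P.succ[p])[q] for p, q in zip(cycle, cycle[1:]))
```

Running weighted_nested_dfs(build_example()) returns weight 8 with prefix s0 and cycle a t1 u r a, i.e. the trace s0 (a t1 u r)^ω: the search from b (popped first in post-order) finds the cycle b t2 r b of weight 4, and the later search from a skips b and t2, which are already in visited_inner, yet still finds the heavier cycle through t1 and u. Passing max_reward=4 stops after the first cycle, mirroring the weight_max = n exit on line 19 of Alg. 2.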

Correctness and Completeness: Based on Lemmas 1-5 and Propositions 1-2, the soundness and completeness properties of the algorithm are summarized in the following theorem.

Theorem 1 (Soundness and completeness) Given a transition system $\mathcal{T}$, a set of LTL formulas $\Phi$ and the reward function rew, the suggested algorithm returns the solution to Prob. 1.

Theorem 2 Let $|\mathcal{T}|$ and $|\Phi|$ denote the size of the input transition system and the size of the mission specification, respectively. The computational complexity of Alg. 1 is in $O(|\mathcal{P}| \cdot \log|\mathcal{P}|)$, where $|\mathcal{P}|$ is the size of the product automaton, which is in $O(|\mathcal{T}| \cdot 2^{O(|\Phi|)})$.

Discussion: The translation from an LTL formula $\varphi$ into a generalized Büchi automaton can be done in $2^{O(|\varphi|)}$ time and space. In particular, one of the well-known translation algorithms [10] transforms $\varphi$ into a generalized Büchi automaton with at most $2^{|\varphi|}$ states and $|\varphi|$ sets in its acceptance condition. If the obtained GBAs for specifications $\varphi_1, \ldots, \varphi_n \in \Phi$ are all non-blocking, the worst-case size of $\mathcal{B}_{all}$ is $2^{|\Phi|} \cdot (1 + |\Phi|)$. On the other hand, in case $k$ of the obtained GBAs are blocking, the worst-case size of $\mathcal{B}_{all}$ is $2^{|\Phi|+k} \cdot (|\Phi| + k + 1)$. Although the size of the resulting GBA is exponential with respect to the size of the input specification, the sizes of the individual formulas are usually small and in many cases the GBAs are significantly smaller than the worst-case bound. Many optimization techniques have also been developed in the formal methods literature to reduce the sizes of the GBAs.

The size of the product automaton $\mathcal{P}$ is $|\mathcal{T}| \cdot |\mathcal{B}_{all}|$ in the worst case, with at most $|\mathcal{T}| \cdot 2^{|\Phi|+k}$ states in one component, where $k$ is the number of blocking GBAs obtained in the translation of the formulas from $\Phi$. The cumulative number of steps made in sorting the set search_from on line 14 of Alg. 3 is bounded by $O(|L_{\mathcal{P}}| \cdot \log|L_{\mathcal{P}}|)$, where $|L_{\mathcal{P}}| = |\{p \in Q_{\mathcal{P}} \mid \mathrm{component}(p) = (0,0)\}|$ is the size of the initial component of $\mathcal{P}$. Altogether, the complexity of Alg. 1 is in $O(|\mathcal{P}| + |L_{\mathcal{P}}| \cdot \log|L_{\mathcal{P}}|)$.

In contrast, the "brute-force" approach that tries to find a trace satisfying each $\Phi' \subseteq \Phi$ has the worst-case time complexity characterized as follows. A Büchi automaton $\mathcal{B}_{\Phi'}$ for $\Phi'$ can be constructed with $2^{|\Phi'|} \cdot |\Phi'|$ states in the worst case. A nested DFS algorithm is then run on $\mathcal{P} = \mathcal{T} \otimes \mathcal{B}_{\Phi'}$, reaching complexity $O(|\mathcal{P}|)$. Hence, the solution is linear with respect to the size of

$$|\mathcal{T}| \cdot \sum_{\Phi' \subseteq \Phi} 2^{|\Phi'|} \cdot |\Phi'|.$$

The benefit of our algorithm (Alg. 1) in comparison to the brute-force solution increases with the number of non-blocking GBAs obtained from the translation of the LTL formulas. Note that for some LTL formulas, the smallest corresponding GBA is non-blocking. In particular, many useful specifications, such as $\mathrm{F}\,\varphi$ (reachability), $\mathrm{G}\,\mathrm{F}\,\varphi$ (surveillance), $\mathrm{G}\,\mathrm{F}\,\varphi_1 \Rightarrow \mathrm{G}\,\mathrm{F}\,\varphi_2$ (reactivity), $\mathrm{G}(\varphi_1 \Rightarrow \mathrm{F}\,\varphi_2)$ (response), or $\mathrm{F}(\varphi_1 \wedge \mathrm{F}\,\varphi_2)$ (sequencing), where $\varphi, \varphi_1, \varphi_2$ are arbitrary Boolean combinations of atomic propositions, belong to this class.
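As an added calculation, not part of the paper, the brute-force bound above can be written in closed form for $n = |\Phi|$ formulas and set against the size of $\mathcal{B}_{all}$ when all GBAs are non-blocking (the case $k = 0$ of the Discussion):

$$\sum_{\Phi' \subseteq \Phi} 2^{|\Phi'|}\,|\Phi'| \;=\; \sum_{j=0}^{n} \binom{n}{j}\, j\, 2^{j} \;=\; n \cdot 2 \cdot (1+2)^{n-1} \;=\; 2n\,3^{\,n-1},$$

using the identity $\sum_{j=0}^{n} \binom{n}{j}\, j\, x^{j} = n\,x\,(1+x)^{n-1}$ at $x = 2$. The brute-force products therefore have total size $|\mathcal{T}| \cdot 2n\,3^{n-1}$ against $|\mathcal{T}| \cdot 2^{n}(n+1)$ for $\mathcal{T} \otimes \mathcal{B}_{all}$, and the ratio

$$\frac{2n\,3^{n-1}}{2^{n}(n+1)} \;=\; \frac{2n}{3(n+1)} \left(\frac{3}{2}\right)^{n}$$

grows exponentially in $n$: for $n = 3$ the two bounds are $54$ versus $32$ per state of $\mathcal{T}$, for $n = 5$ they are $810$ versus $192$. This compares the automaton-size bounds only; the $\log$ factor of Theorem 2 applies to Alg. 1 on top of $|\mathcal{P}|$.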

V. Rescue Mission Example 

Let us consider an example of a complex military rescue mission. Assume that friendly units $F_1, F_2, F_3$ have been captured in enemy territory. They are guarded by enemy units (called targets) $T_1, \ldots, T_7$, which need to be engaged before an autonomous vehicle can proceed to pick up the captured friendly units and bring them to the friendly base. A particular configuration is depicted in Fig. 1(a). While friendly units $F_1$ and $F_2$ can be rescued by engaging targets $T_1, T_4$ and $T_2, T_6, T_7$, respectively, unit $F_3$ can be rescued by engaging targets and $T_2$. Suppose that we have two unmanned aerial vehicles (UAVs) $V_1$ and $V_2$ and an autonomous ground vehicle $V_3$ under our command, with their capabilities and weaknesses as described below.

Fig. 1: An example of a mission featuring conflicting specifications (panels (a)-(d)). The captured friendly units $F_1$, $F_2$, and $F_3$ are shown as green squares and the enemy units (the targets) $T_1, \ldots, T_7$ are illustrated as triangles. The respective firing ranges of the targets are depicted as yellow and red squares around the targets. The friendly vehicles $V_1, V_2, V_3$ are the blue dots, which can move along the edges of the rectangular grid. A visit of vehicle $V_1$ or $V_2$ to a location with a target is considered an engagement of the target. On the other hand, vehicle $V_1$, $V_2$, or $V_3$ entering a region within the firing range of a target to which it is vulnerable results in the loss of the vehicle. These rules are captured through irreversible transitions of the underlying state transition system.

• $V_1$ can engage $T_1, T_3$, is vulnerable to $T_2, T_5$, and can engage $T_4, T_6, T_7$ at the cost of self-destruction (i.e., it can be sacrificed to engage a target $T_4$, $T_6$, or $T_7$).

• $V_2$ can engage $T_2, T_5$, is vulnerable to $T_1, T_3$, and can engage $T_4, T_6, T_7$ at the cost of self-destruction.

• $V_3$ can pick up and transport $F_1, F_2, F_3$, but is vulnerable to all active targets.

The mission is to rescue and pick up the friendly units $F_1, F_2$ and $F_3$ and bring them to the base (Base). At the same time, the goal is not to lose any of the vehicles $V_1, V_2, V_3$. Let $p_{V_k}^{F_i}$, $p_{V_k}^{Base}$ and $a_{V_k}$ denote the atomic propositions "Vehicle $V_k$ is at the location of the friendly unit $F_i$", "Vehicle $V_k$ is at Base", and "Vehicle $V_k$ is active", respectively. Individual goals are expressed as LTL formulas (see Table II) and assigned priorities through the reward function. The reward function, among others, specifies that saving the friendly units is more important than not losing the vehicles $V_1, V_2, V_3$. Note that because enemy target $T_7$ cannot be destroyed by any of the vehicles at no cost to their integrity, at least one vehicle must be sacrificed to save the friendly units. Although not so obvious, one can also observe that friendly units $F_1$ and $F_2$ cannot both be rescued.

Mission specification                                              | LTL formula $\varphi$         | rew($\varphi$)
Pick up $F_i$ and bring it to Base, for all $i \in \{1, 2, 3\}$       | for $i \in \{1, 2, 3\}$       | 10
Do not pick up $F_3$ before picking up $F_i$, for all $i \in \{1, 2\}$ | for $i \in \{1, 2\}$          | 10
Do not lose vehicle $V_k$ and bring $V_k$ to Base, for all $k \in \{1, 2, 3\}$ | for $k \in \{1, 2, 3\}$ | 1

TABLE II: Mission specification.

In order to validate our algorithm, we developed a C++ implementation which takes as input a deterministic transition system and a list of generalized Büchi automata obtained from the LTL formulas with the use of an off-the-shelf tool such as LTL2BA [11]. The reward gained if the optimal control strategy of the vehicles is applied is 32 units, as expected. Figures 1(b)-1(d) illustrate different stages of the system run. First, vehicles $V_1$ and $V_2$ engage enemy targets $T_1$ and $T_5$, respectively (Fig. 1(b)). Then, $V_1$ destroys enemy target $T_3$ before launching a self-destructive attack on $T_4$ (Fig. 1(c)). Later, vehicle $V_2$ engages enemy target $T_2$, and vehicle $V_3$ proceeds to pick up $F_1$ and $F_3$, in that order (see Fig. 1(d)). Finally, the remaining vehicles return to Base.

VI. Conclusion and Future Work 

In this paper, we have studied the least-violating controller synthesis problem, i.e., roughly speaking, finding a trajectory that satisfies the most important pieces of the specification when the specification cannot be satisfied as a whole. We have proposed an algorithm that provides substantial computational savings when compared to a straightforward solution. We have analyzed the proposed algorithm in terms of correctness, completeness and computational complexity. We have also demonstrated the performance of the proposed algorithm on an illustrative example.

There are many directions for future work. In particular, synthesis of optimal strategies that are least violating, and synthesis of such strategies for implementation in dynamic environments, are two of them.

References 

[1] Isaac Asimov. I, Robot. Gnome Press, 1950.

[2] Christel Baier and Joost-Pieter Katoen. Principles of Model Checking. MIT Press, 2008.

[3] Ezio Bartocci, Radu Grosu, Panagiotis Katsaros, C. R. Ramakrishnan, and Scott A. Smolka. Model repair for probabilistic systems. In International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS), pages 326-340. Springer-Verlag, 2011.

[4] Amit Bhatia, Lydia E. Kavraki, and Moshe Y. Vardi. Sampling-based motion planning with temporal goals. In Proceedings of the IEEE International Conference on Robotics and Automation (ICRA), pages 2689-2696, 2010.

[5] Francesco Buccafurri, Thomas Eiter, Georg Gottlob, and Nicola Leone. Enhancing model checking in verification by AI techniques. Artificial Intelligence, 112(1-2):57-104, 1999.

[6] A. Cimatti, M. Roveri, V. Schuppan, and A. Tchaltsev. Diagnostic information for realizability. In Proceedings of the International Conference on Verification, Model Checking, and Abstract Interpretation (VMCAI), pages 52-67, Berlin,Heidelberg, 2008. Springer-Verlag.

[7] Costas Courcoubetis and Mihalis Yannakakis. Markov decision processes and regular events. In IEEE Transactions on Automatic Control, 1998.

[8] Werner Damm and Bernd Finkbeiner. Does it pay to extend the perimeter of a world model? In Proceedings of the International Symposium on Formal Methods (FM), pages 12-26, Berlin, Heidelberg, 2011. Springer-Verlag.

[9] Georgios E. Fainekos. Revising temporal logic specifications for motion planning. In Proceedings of the IEEE International Conference on Robotics and Automation (ICRA), 2011.

[10] Paul Gastin and Denis Oddoux. Fast LTL to Büchi automata translation. In Proceedings of the International Conference on Computer Aided Verification (CAV), pages 53-65, London, UK, 2001. Springer-Verlag.

[11] Paul Gastin and Denis Oddoux. LTL2BA tool, viewed September 2012. URL: http://www.lsv.ens-cachan.fr/~gastin/ltl2ba/.

[12] Rob Gerth, Doron Peled, Moshe Y. Vardi, and Pierre Wolper. Simple on-the-fly automatic verification of linear temporal logic. In Proceedings of the Fifteenth IFIP WG6.1 International Symposium on Protocol Specification, Testing and Verification XV, pages 3-18, London, UK, 1996. Chapman & Hall, Ltd.

[13] Kris Hauser. The minimum constraint removal problem with three robotics applications. In Proceedings of the International Workshop on the Algorithmic Foundations of Robotics (WAFR), 2012.

[14] Gerard J. Holzmann. The Spin Model Checker: Primer and Reference Manual. Addison-Wesley Professional, 2003.

[15] Sertac Karaman and Emilio Frazzoli. Sampling-based motion planning with deterministic μ-calculus specifications. In Proceedings of the IEEE Conference on Decision and Control (CDC), pages 2222-2229, 2009.

[16] Sertac Karaman and Emilio Frazzoli. Sampling-based optimal motion planning with deterministic μ-calculus specifications. In Proceedings of the American Control Conference (ACC), 2012.

[17] Kangjin Kim, Georgios Fainekos, and Sriram Sankaranarayanan. On the revision problem of specification automata. In Proceedings of the IEEE International Conference on Robotics and Automation (ICRA), 2012.

[18] Marius Kloetzer and Calin Belta. A fully automated framework for control of linear systems from temporal logic specifications. IEEE Transactions on Automatic Control, 53(1):287-297, 2008.

[19] Hadas Kress-Gazit, Georgios E. Fainekos, and George J. Pappas. Temporal-logic-based reactive mission and motion planning. IEEE Transactions on Automatic Control, 25(6):1370-1381, 2009.

[20] Morteza Lahijanian, Joe Wasniewski, Sean B. Andersson, and Calin Belta. Motion planning and control from temporal logic specifications with probabilistic satisfaction guarantees. In Proceedings of the IEEE International Conference on Robotics and Automation (ICRA), pages 3227-3232, 2010.

[21] Vasumathi Raman and Hadas Kress-Gazit. Analyzing unsynthesizable specifications for high-level robot behavior using LTLMoP. In Proceedings of the International Conference on Computer Aided Verification (CAV), pages 663-668, 2011.

[22] Vasumathi Raman and Hadas Kress-Gazit. Automated feedback for unachievable high-level robot behaviors. In Proceedings of the IEEE International Conference on Robotics and Automation (ICRA), pages 5156-5162, 2012.

[23] Stephen L. Smith, Jana Tumova, Calin Belta, and Daniela Rus. Optimal path planning for surveillance with temporal logic constraints. International Journal of Robotics Research, 30(14):1695-1708, 2011.

[24] Tichakorn Wongpiromsarn, Ufuk Topcu, and Richard M. Murray. Receding horizon temporal logic planning for dynamical systems. In Proceedings of the IEEE Conference on Decision and Control and the Chinese Control Conference (CDC/CCC), pages 5997-6004, 2009.



